URL Filtering on the EcoSGE platform

URL Filtering

EcoFilter

High-performance URL filtering of prohibited sites and user lists.

Advantages and basic features

The URL filtering functionality implemented in the RDP.RU solutions allows telecom operators to comply with legal requirements for filtering unwanted and prohibited resources on the Internet, and to provide additional services such as “Safe Internet for Kids” with filtering by large lists (up to 30 million URLs).

URL filtering provides host/path filtering for HTTP and host filtering for HTTPS on all TCP ports. The lists of filtered URLs can be assigned to all subscribers at once or to each subscriber individually, depending on the tariff plan. Filtering rules can also be applied to subscribers dynamically using the RADIUS protocol. The EcoFilter device can be supplemented with the functionality of a service gateway (bandwidth management, redirection to the Disconnect page, URL-based open garden, URL-based policing, CG-NAT).

The most common URL filtering scheme sends only a small part of the traffic to the DPI system, prefiltered by routers (ACLs, delaying BGP routes, etc.), rather than all of it. This approach has a fundamental fatal flaw. Many prohibited (and undesirable) sites are hosted on CDN networks, and the IP addresses that DNS servers return for them change constantly. In addition, HTTPS filtering requires all incoming traffic (it contains the host certificate); if that traffic is missing, such resources cannot be filtered correctly. As a result, traffic that needs to be filtered does not match the ACL and bypasses the filtering DPI equipment, which usually lets 1-2% of unwanted traffic pass.

Unlike most comparable products, which are designed to handle prefiltered traffic, EcoFilter has sufficient performance to analyze all traffic on all TCP ports, which guarantees 100% filtering. The DPI system performance is up to 160 Gbps in 1U, which is the best result in the Russian Federation and a good result even by world standards. If necessary, performance is easily scaled by combining multiple devices in a LAG.

The EcoFilter solution provides mechanisms for detecting URLs in HTTP requests even if the subscriber uses means of bypassing the blocking, such as access through a non-standard port on the server, masking the URL by fragmenting a GET request, using a non-standard sequence of headers, etc. When a URL is found in the header, it is compared with the specified black and white lists.

The EcoFilter device can extract all GET requests from subscribers’ traffic and log them to an external server (big data collection). Exporting information about GET requests makes it possible to analyze and build profiles of interests and risks, both for individual users and for the provider's entire subscriber base. In addition, this functionality takes control of subscriber outflow to a whole new level thanks to the ability to predict the loss of a particular subscriber.
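The filter-side logic described above can be sketched as follows. This is an added example, not EcoFilter code: it buffers the segments of one connection until the header block is complete, finds the Host header regardless of order or case, normalizes host and path, and compares the result with black and white lists. The list entries, the prefix-matching rule, the white-list precedence and the verdict strings are assumptions, and segments are assumed to arrive in order.

```python
from urllib.parse import urlsplit, unquote

# Constructed lists. Assumption: entries are "host/path" prefixes and the
# white list takes precedence; the page does not specify either.
BLACKLIST = ("blocked.example/", "news.example/banned/page")
WHITELIST = ("news.example/banned/page/appeal",)

def extract_url(head: bytes):
    """Return normalized 'host/path' from a complete HTTP header block, or None."""
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None
    target, host = parts[1], ""
    for line in lines[1:]:                      # header order and case do not matter
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    if target.lower().startswith("http://"):    # absolute-form request target
        split = urlsplit(target)
        host, target = split.netloc, split.path or "/"
    # .hostname lowercases the name and drops any port (e.g. ":8080")
    hostname = (urlsplit("//" + host).hostname or "").rstrip(".")
    if not hostname:
        return None
    # Drop the query string and decode percent-escapes before matching
    return hostname + unquote(target.split("?", 1)[0])

def verdict(url):
    if url is None:
        return "unparsed"
    if any(url.startswith(e) for e in WHITELIST):
        return "allow"
    if any(url.startswith(e) for e in BLACKLIST):
        return "block"
    return "allow"

class HttpFlow:
    """Per-connection state: buffer segments until the header block is complete."""
    def __init__(self):
        self.buf = b""

    def feed(self, segment: bytes):
        self.buf += segment
        end = self.buf.find(b"\r\n\r\n")
        return None if end < 0 else verdict(extract_url(self.buf[:end]))
```

feed() returns None while the request is still incomplete, so a GET split across several segments is classified only once the whole header block has been seen, whatever the destination port.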

URL-filtering wrong scheme
URL-filtering correct scheme

URL filtering methods

| URL filtering method | IP address in the list | http hostname | http hostname/path | * before hostname | https (by SNI) | https (by certificate) | Ports other than 80, 443 | Dynamic IP address | New protocols (e.g. QUIC) |
|---|---|---|---|---|---|---|---|---|---|
| "Blackhole DNS" filtering | No | Yes | No | No | No | No | No | No | No |
| DPI-based filtering of outgoing traffic, prefiltered with IP ACL (also by BGP) | Yes | Yes* | Yes*/No | No | Yes*/No | No | Yes*/No | Yes*/No | No |
| DPI-based filtering of outgoing traffic with prefiltering by ports (all IP addresses) | Yes | Yes | Yes | Yes | Yes | No | Yes** | Yes | No |
| DPI-based filtering of outgoing/incoming traffic with flexible prefiltering by ports and protocols (all IP addresses) | Yes | Yes | Yes | Yes | Yes | Yes | Yes** | Yes | Yes** |
| DPI-based filtering of all outgoing/incoming traffic | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

\* Used for prefiltering if the IP address is in the list
\*\* The necessary ports and protocols must be added to the filter list

We offer our customers the most advanced URL filtering method – DPI-based filtering of all outgoing and incoming traffic.

Hardware Platforms

| Platform | 1010/2010/2020/2040 | 4080/4120/4160/5200 |
|---|---|---|
| Throughput* | up to 34 Gbps | up to 200 Gbps |
| Rack Unit (Mountable) | 1 U | 1 U |
| Connection Setups Per Second | up to 2.3 mln | up to 5 mln |
| Concurrent Sessions | up to 32 mln | up to 150 mln |
| Network Interfaces | <6x10/100/1000BaseT | |
| Network Cards | 1 | 4 |
| Logging Interface | 1 x 10/100/1000BaseT | 1 x 10/100/1000BaseT |
| Console Port | RJ45 (RS232C) | RJ45 (RS232C) |
| Data Storage | 32 SSD | 32 SSD |
| Power Consumption (Typical / Max) | 140 / 170 W | 340 / 400 W |
| Power Supply | Dual 200W RPS, 100-240 VAC (-36-72 DC) | Dual 500W RPS, 100-240 VAC (-36-72 DC) |
| Cooling | Standard Fans | Standard Fans |
| Dimensions (W x D x H) | 430 x 400 x 44 mm | 440 x 576 x 44 mm |

\* Packet performance is sufficient to operate at "wire speed" with an average packet size of 480 bytes.

Contact us

Would you like to take our equipment for a test, solve a task for your business, or clarify technical questions? Send us a request and we will be sure to help you.